fix: add check for client authorization before retrieving token string #2327

Yuan325 · 2026-01-16T19:03:42Z

Previous refactoring (#2273) accidentally removed the authorization checks prior to token retrieval. This issue went unnoticed because the integration tests were disabled. I am re-adding the necessary checks.

gemini-code-assist · 2026-01-16T19:04:04Z

Summary of Changes

Hello @Yuan325, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request rectifies a security and functional regression by re-establishing crucial client authorization checks across various Cloud Healthcare API tools. The core change involves conditionally parsing bearer tokens only when client authorization is enabled, preventing unnecessary token operations and ensuring that API calls are properly authenticated and authorized as intended. This fix enhances the robustness and security posture of the affected tools.

Highlights

Re-introduction of Client Authorization Check: A conditional check for client authorization (source.UseClientAuthorization()) has been re-added before attempting to parse a bearer token. This ensures that token retrieval only occurs when client authorization is explicitly required.
Fix for Accidental Regression: This change addresses a regression introduced in a previous refactoring (refactor(sources/cloudhealthcare): move source implementation in Invoke() function to Source #2273) where the authorization checks were inadvertently removed, leading to potential issues if not properly handled.
Consistent Application Across Cloud Healthcare Tools: The authorization check logic has been consistently applied across multiple Cloud Healthcare tools, including those for FHIR page fetching, patient operations, dataset/DICOM/FHIR store management, and DICOM instance/series/study searches.

🧠 New Feature in Public Preview: You can now enable Memory to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	`/gemini review`	Performs a code review for the current pull request in its current state.
Pull Request Summary	`/gemini summary`	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	`/gemini help`	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

gemini-code-assist

Code Review

This pull request addresses a regression by re-introducing a necessary authorization check before parsing bearer tokens. The fix is applied consistently across 15 different tool implementations. The logic of the fix is correct. However, this change highlights a significant amount of code duplication for token handling across these files. I've added a review comment with a suggestion to refactor this duplicated logic into a single helper function to improve the overall maintainability of the codebase.

internal/tools/cloudhealthcare/cloudhealthcarefhirfetchpage/cloudhealthcarefhirfetchpage.go

googleapis#2327) Previous refactoring (googleapis#2273) accidentally removed the authorization checks prior to token retrieval. This issue went unnoticed because the integration tests were disabled. I am re-adding the necessary checks.

🤖 I have created a release *beep* *boop* --- ## [0.26.0](v0.25.0...v0.26.0) (2026-01-22) ### ⚠ BREAKING CHANGES * Validate tool naming ([#2305](#2305)) ([5054212](5054212)) * **tools/cloudgda:** Update description and parameter name for cloudgda tool ([#2288](#2288)) ([6b02591](6b02591)) ### Features * Add new `user-agent-metadata` flag ([#2302](#2302)) ([adc9589](adc9589)) * Add remaining flag to Toolbox server in MCP registry ([#2272](#2272)) ([5e0999e](5e0999e)) * **embeddingModel:** Add embedding model to MCP handler ([#2310](#2310)) ([e4f60e5](e4f60e5)) * **sources/bigquery:** Make maximum rows returned from queries configurable ([#2262](#2262)) ([4abf0c3](4abf0c3)) * **prebuilt/cloud-sql:** Add create backup tool for Cloud SQL ([#2141](#2141)) ([8e0fb03](8e0fb03)) * **prebuilt/cloud-sql:** Add restore backup tool for Cloud SQL ([#2171](#2171)) ([00c3e6d](00c3e6d)) * Support combining multiple prebuilt configurations ([#2295](#2295)) ([e535b37](e535b37)) * Support MCP specs version 2025-11-25 ([#2303](#2303)) ([4d23a3b](4d23a3b)) * **tools:** Add `valueFromParam` support to Tool config ([#2333](#2333)) ([15101b1](15101b1)) ### Bug Fixes * **tools/cloudhealthcare:** Add check for client authorization before retrieving token string ([#2327](#2327)) ([c25a233](c25a233)) --- This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please). --------- Co-authored-by: release-please[bot] <55107282+release-please[bot]@users.noreply.github.com> Co-authored-by: Yuan Teoh <45984206+Yuan325@users.noreply.github.com>

🤖 I have created a release *beep* *boop* --- ## [0.26.0](v0.25.0...v0.26.0) (2026-01-22) ### ⚠ BREAKING CHANGES * Validate tool naming ([#2305](#2305)) ([5054212](5054212)) * **tools/cloudgda:** Update description and parameter name for cloudgda tool ([#2288](#2288)) ([6b02591](6b02591)) ### Features * Add new `user-agent-metadata` flag ([#2302](#2302)) ([adc9589](adc9589)) * Add remaining flag to Toolbox server in MCP registry ([#2272](#2272)) ([5e0999e](5e0999e)) * **embeddingModel:** Add embedding model to MCP handler ([#2310](#2310)) ([e4f60e5](e4f60e5)) * **sources/bigquery:** Make maximum rows returned from queries configurable ([#2262](#2262)) ([4abf0c3](4abf0c3)) * **prebuilt/cloud-sql:** Add create backup tool for Cloud SQL ([#2141](#2141)) ([8e0fb03](8e0fb03)) * **prebuilt/cloud-sql:** Add restore backup tool for Cloud SQL ([#2171](#2171)) ([00c3e6d](00c3e6d)) * Support combining multiple prebuilt configurations ([#2295](#2295)) ([e535b37](e535b37)) * Support MCP specs version 2025-11-25 ([#2303](#2303)) ([4d23a3b](4d23a3b)) * **tools:** Add `valueFromParam` support to Tool config ([#2333](#2333)) ([15101b1](15101b1)) ### Bug Fixes * **tools/cloudhealthcare:** Add check for client authorization before retrieving token string ([#2327](#2327)) ([c25a233](c25a233)) --- This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please). --------- Co-authored-by: release-please[bot] <55107282+release-please[bot]@users.noreply.github.com> Co-authored-by: Yuan Teoh <45984206+Yuan325@users.noreply.github.com> 86bf7bf

🤖 I have created a release *beep* *boop* --- ## [0.26.0](googleapis/genai-toolbox@v0.25.0...v0.26.0) (2026-01-22) ### ⚠ BREAKING CHANGES * Validate tool naming ([googleapis#2305](googleapis#2305)) ([5054212](googleapis@5054212)) * **tools/cloudgda:** Update description and parameter name for cloudgda tool ([googleapis#2288](googleapis#2288)) ([6b02591](googleapis@6b02591)) ### Features * Add new `user-agent-metadata` flag ([googleapis#2302](googleapis#2302)) ([adc9589](googleapis@adc9589)) * Add remaining flag to Toolbox server in MCP registry ([googleapis#2272](googleapis#2272)) ([5e0999e](googleapis@5e0999e)) * **embeddingModel:** Add embedding model to MCP handler ([googleapis#2310](googleapis#2310)) ([e4f60e5](googleapis@e4f60e5)) * **sources/bigquery:** Make maximum rows returned from queries configurable ([googleapis#2262](googleapis#2262)) ([4abf0c3](googleapis@4abf0c3)) * **prebuilt/cloud-sql:** Add create backup tool for Cloud SQL ([googleapis#2141](googleapis#2141)) ([8e0fb03](googleapis@8e0fb03)) * **prebuilt/cloud-sql:** Add restore backup tool for Cloud SQL ([googleapis#2171](googleapis#2171)) ([00c3e6d](googleapis@00c3e6d)) * Support combining multiple prebuilt configurations ([googleapis#2295](googleapis#2295)) ([e535b37](googleapis@e535b37)) * Support MCP specs version 2025-11-25 ([googleapis#2303](googleapis#2303)) ([4d23a3b](googleapis@4d23a3b)) * **tools:** Add `valueFromParam` support to Tool config ([googleapis#2333](googleapis#2333)) ([15101b1](googleapis@15101b1)) ### Bug Fixes * **tools/cloudhealthcare:** Add check for client authorization before retrieving token string ([googleapis#2327](googleapis#2327)) ([c25a233](googleapis@c25a233)) --- This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please). --------- Co-authored-by: release-please[bot] <55107282+release-please[bot]@users.noreply.github.com> Co-authored-by: Yuan Teoh <45984206+Yuan325@users.noreply.github.com> 86bf7bf

fix: add check for client authorization before retrieving token string

96f13dd

Yuan325 requested a review from a team as a code owner January 16, 2026 19:03

blunderbuss-gcf bot assigned duwenxin99 Jan 16, 2026

Merge branch 'main' into healthcare-fix

7ef303a

Yuan325 enabled auto-merge (squash) January 16, 2026 19:04

gemini-code-assist bot reviewed Jan 16, 2026

View reviewed changes

internal/tools/cloudhealthcare/cloudhealthcarefhirfetchpage/cloudhealthcarefhirfetchpage.go Show resolved Hide resolved

duwenxin99 approved these changes Jan 16, 2026

View reviewed changes

Yuan325 merged commit c25a233 into main Jan 20, 2026
12 checks passed

Yuan325 deleted the healthcare-fix branch January 20, 2026 18:57

release-please bot mentioned this pull request Jan 20, 2026

chore(main): release 0.26.0 #2286

Merged

BrewTestBot mentioned this pull request Jan 23, 2026

mcp-toolbox 0.26.0 Homebrew/homebrew-core#264117

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

fix: add check for client authorization before retrieving token string #2327

fix: add check for client authorization before retrieving token string #2327

Uh oh!

Yuan325 commented Jan 16, 2026

Uh oh!

gemini-code-assist bot commented Jan 16, 2026

Uh oh!

gemini-code-assist bot left a comment

Uh oh!

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

fix: add check for client authorization before retrieving token string #2327

fix: add check for client authorization before retrieving token string #2327

Uh oh!

Conversation

Yuan325 commented Jan 16, 2026

Uh oh!

gemini-code-assist bot commented Jan 16, 2026

Summary of Changes

Highlights

Footnotes

Uh oh!

gemini-code-assist bot left a comment

Choose a reason for hiding this comment

Code Review

Uh oh!

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants